An IP address in a network block attributed to Syrian government services (AS29256) is relaying activity consistent with Outlaw/mdrfckr botnet propagation. We assess this as compromised infrastructure, not state-directed activity. Our distributed honeypot network captured the relay chain end-to-end: a three-tier SSH scanning pipeline, a modern exploitation tool advertising ML-KEM-capable key exchange, the mdrfckr SSH key injection, and a 23-second automated burst of 18 reconnaissance commands. This is not new malware research. It is a field observation showing how old commodity botnets continue to exploit weak SSH hygiene and can quietly turn institutional infrastructure into relay nodes.

An SSH-delivered Linux kit observed on two honeypot sensors drops a non-root systemd-user persistence unit, then runs a 10 MB Go scanner with intact DWARF: source tree, module name skn, capability map (scanner, SOCKS5, password-change cascade with VyOS fallback, embedded HTTP listener) all visible. The loader is hardened; the scanner is not. Stage-2 C2 on connexionlost.{net,zip} → 194.5.97.46.

Single-page SOC-facing summary of the Watcher-NetAI / skn cluster - top IOCs, four triage-priority hunts, links to the YARA / Sigma / IOC bundles, controlled-sharing contact. Full analysis in the main report.

17 Windows modules dropped alongside the Linux ELF in the same Prometei drop, including a Mimikatz variant frozen since 2023, a Tor stack masquerading as MSDTC and Smart Card services, and a Linux ELF that pivots back to Windows via WinRM (5985), Redis SLAVEOF (16379), and SMBv1-era dialects. One cross-platform toolkit, walker.ini glue, server-side fingerprint of the C2.

A fresh Prometei v3/v4 ELF on a Linux honeypot, beaconing to the same C2 IP, Tor onion, and UPlugPlay disguise convention eSentire flagged on the Windows side three months earlier. The JSON-trailer schema yields a parent-peer back-pointer per bot. Postscript: four parallel binary-churn cadences in the same toolkit, including bit-identical zsvc unpacked code across drops.

42 post-auth payload deployments from 13 coordinated IPs on AS51396 over 58 hours. The eviction script that precedes each install maps the contested-infrastructure reality: Diicot self-eviction, XMRig, CNRig, Rete, and Kinsing artifacts competing on the same pools of exposed servers.